CVE-2024-10517 – ProfilePress – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10517 – ProfilePress – Stored XSS to JS Backdoor Creation – POC

ProfilePress is a popular WordPress plugin used for creating and managing user login, registration, and profile forms. It provides features to enhance user experience and website functionality. However, a critical vulnerability, CVE-2024-10517, has been discovered in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “User Login” field of a new form, which is then stored and executed on the site. The vulnerability can lead to account takeover and the creation of a backdoor for the attacker, compromising the integrity of the WordPress installation. With over 200,000 active installations, this vulnerability represents a significant security risk for websites using ProfilePress.

CVE-2024-10518 – ProfilePress – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10518 – ProfilePress – Stored XSS to JS Backdoor Creation – POC

ProfilePress, a popular WordPress plugin used for user registration, login forms, and membership management, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10518. This flaw allows an attacker to inject malicious JavaScript into the plugin’s settings, particularly in the “Name” field of the Membership Plan configuration. When executed, the injected JavaScript can create a backdoor, allowing the attacker to take control of the WordPress site. With over 200,000 active installations, this vulnerability poses a significant security threat to a large number of WordPress sites.

Plugin Security Certification (PSC-2024-64531): “Health Check & Troubleshooting” – Version 1.7.1: Use Health Checks with Enhanced Security

Plugin Security Certification (PSC-2024-64531): “Health Check & Troubleshooting” – Version 1.7.1: Use Health Checks with Enhanced Security

Managing a secure and efficient WordPress site is a top priority for any website owner. The Health Check & Troubleshooting plugin has been specifically designed to ensure your WordPress installation remains in optimal condition. Whether you’re debugging a theme conflict or performing routine checks, this plugin offers a robust suite of tools to maintain site stability and security. With its recent Plugin Security Certification (PSC-2024-64531) from CleanTalk, you can now use the plugin with the confidence that it meets stringent security standards.

CVE-2024-10637 – Kadence Blocks – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10637 – Kadence Blocks – Stored XSS to JS Backdoor Creation – POC

Kadence Blocks, a popular WordPress plugin used to extend the functionality of the Kadence theme by adding custom blocks, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10637. This flaw allows attackers with contributor-level access to inject malicious JavaScript code into a new post, which is then stored and executed. The vulnerability can lead to the creation of a JavaScript backdoor, which can escalate privileges to admin level, allowing attackers to take control of the site. With over 400,000 active installations, this vulnerability presents a significant security risk to WordPress sites using Kadence Blocks.

CVE-2024-10893 – WP Booking Calendar – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10893 – WP Booking Calendar – Stored XSS to JS Backdoor Creation – POC

WP Booking Calendar is a widely-used WordPress plugin that enables users to manage and book appointments directly from their WordPress site. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the plugin, identified as CVE-2024-10893. This vulnerability allows attackers to inject malicious JavaScript code into the plugin’s “Message title” field. The flaw can be exploited by users with any role, including editors, and can lead to the creation of a backdoor through which attackers can hijack accounts and take control of the site. With over 50,000 active installations, this vulnerability represents a significant security risk.

Plugin Security Certification (PSC-2024-64545): “OneSignal – Web Push Notifications” – Version 3.0.6: Use Notifications with Enhanced Security

Plugin Security Certification (PSC-2024-64545): “OneSignal – Web Push Notifications” – Version 3.0.6: Use Notifications with Enhanced Security

OneSignal – Web Push Notifications – A powerful plugin designed to boost user engagement and retention by sending targeted push notifications. Whether you’re a startup or an enterprise, OneSignal ensures seamless delivery of notifications across platforms, driving re-engagement with your website even after users have left. With a simple setup process and advanced features like real-time analytics, A/B testing, and user segmentation, this plugin is trusted by millions worldwide. Its robust infrastructure and commitment to security make it a reliable choice for businesses of all sizes. Additionally, OneSignal has undergone rigorous security testing and received the prestigious Plugin Security Certification (PSC) from CleanTalk, ensuring a secure and dependable solution for managing push notifications.

Plugin Security Certification (PSC-2024-64531): “Click to Chat” – Version 4.12.1: Use WhatsApp with Enhanced Security

Plugin Security Certification (PSC-2024-64531): “Click to Chat” – Version 4.12.1: Use WhatsApp with Enhanced Security

WhatsApp Chat – A versatile and user-friendly plugin designed to connect your website visitors with you via WhatsApp or WhatsApp Business. With a single click, users can initiate chats seamlessly, whether on mobile or desktop devices. The plugin offers extensive customization options, enabling you to tailor its appearance and functionality to suit your website’s design. Beyond convenience, WhatsApp Chat prioritizes security, ensuring user data is handled safely. The plugin has undergone comprehensive security testing and has earned the prestigious Plugin Security Certification (PSC-2024-64531) from CleanTalk, providing website owners with peace of mind and a secure integration option.

CVE-2024-10980 – Element Pack Elementor Addons – Stored XSS to Admin Account Creation – POC

CVE-2024-10980 – Element Pack Elementor Addons – Stored XSS to Admin Account Creation – POC

Element Pack, a popular addon for the Elementor page builder, adds various widgets and elements to enhance the functionality of WordPress sites. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10980, has been discovered in the plugin. This flaw allows attackers with contributor privileges to inject malicious JavaScript into a post’s “Message” field within the “Cookie Consent” block, which is then executed when the content is viewed. This vulnerability can lead to admin account creation and full control of the affected WordPress site, posing a serious security risk to the over 100,000 active installations of Element Pack.

CVE-2024-10896 – Logo Slider – Stored XSS to Admin Account Creation – POC

CVE-2024-10896 – Logo Slider – Stored XSS to Admin Account Creation – POC

The Logo Slider plugin for WordPress, which enables users to display brand logos and images in a slider format, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10896. This flaw allows attackers with contributor-level access to inject malicious JavaScript into the plugin’s settings, which is then executed when the slider block is interacted with on the front-end. This vulnerability can lead to serious consequences, including the creation of an admin account and full site compromise. With over 30,000 active installations, the potential impact of this vulnerability is significant for WordPress sites using the Logo Slider plugin.